OPSEC:

Operations security (OPSEC) is a term originating in U.S. military jargon, as a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.

~Wikipedia

I would take this definition further to include the tactics and methods of protecting your information from being compromised by the adversary: compromise not only by technical means but also by social and other means (i.e. giving that information to the wrong people by being too trusting or careless with it). Given the focus I have seen online and in the media on “secure communications” by technologies that may or may not be worth trusting, I just can’t help but feel that the majority of people…

When it comes to security on a large scale it is usually necessary to set up an IDS/IPS to monitor network traffic. But what happens if the attacker already has backdoors installed on your Linux box? The following script will take care of just that, giving the admin a bird’s eye view of what is currently going on on the system.

For anyone interested in network security and pen testing stuff, Wireshark is the tool to get, as it reveals pretty much everything about a network, the hosts and active services present, traffic volumes, payloads and sometimes login details as well. I was hoping to demonstrate some of that here, using a (publicly available) .pcap file I acquired from somewhere.

My personal method is to start by constructing a picture of the network, which is time-consuming but sets the scene for whatever analysis follows. There are three IP addresses worth looking at:

* 192.168.0.100 – Appears to be a virtual machine running on VMware, and providing a large number of services, including IMAP, MySQL, POP3, HTTPS, domain services, Kerberos, Sun RPC and SMUX.
* 192.168.0.150 – Another VM making a load of requests through outgoing port 34988, so it had to be a proxy server.
* 224.0.0.22 – Multicast router.
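Automating that first pass over a capture, as an added example that is not code from the original post: the script below parses a libpcap file (Ethernet/IPv4/TCP only) and records a host as offering a service on a port only when that host answered with SYN/ACK, so a probe that was never answered is not mistaken for a listening service. The capture it reads is constructed inline from the post's two 192.168.0.x addresses so it runs offline; the port numbers and flows are assumptions.

```python
import struct
from collections import defaultdict

SYN, SYN_ACK = 0x02, 0x12
# Constructed sample traffic (not from the post's .pcap): client .150 probes
# server .100; the last SYN gets no answer, so port 8000 must not be listed.
SAMPLE_FLOWS = [  # (src_ip, sport, dst_ip, dport, tcp_flags)
    ("192.168.0.150", 34988, "192.168.0.100", 143, SYN),      # IMAP
    ("192.168.0.100", 143, "192.168.0.150", 34988, SYN_ACK),
    ("192.168.0.150", 34989, "192.168.0.100", 3306, SYN),     # MySQL
    ("192.168.0.100", 3306, "192.168.0.150", 34989, SYN_ACK),
    ("192.168.0.150", 34990, "192.168.0.100", 110, SYN),      # POP3
    ("192.168.0.100", 110, "192.168.0.150", 34990, SYN_ACK),
    ("192.168.0.150", 34991, "192.168.0.100", 8000, SYN),     # unanswered
]

def build_frame(src, sport, dst, dport, flags):
    """Ethernet II + IPv4 + bare TCP header (checksums left zero; the parser ignores them)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # ethertype IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp

def build_pcap(flows):
    """Serialise frames into a little-endian libpcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, flow in enumerate(flows):
        frame = build_frame(*flow)
        out += struct.pack("<IIII", n, 0, len(frame), len(frame)) + frame
    return out

def service_map(pcap_bytes):
    """Return {server_ip: sorted ports}; a port counts only if that host sent SYN/ACK."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"           # honour the file's byte order
    servers, off = defaultdict(set), 24                      # skip the global header
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack_from(endian + "IIII", pcap_bytes, off)[2]
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                         # IPv4/TCP frames only
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if tcp[13] & 0x12 == 0x12:                           # SYN and ACK both set
            src = ".".join(map(str, frame[26:30]))
            servers[src].add(struct.unpack_from("!H", tcp)[0])
    return {ip: sorted(ports) for ip, ports in servers.items()}
```

Running `service_map(build_pcap(SAMPLE_FLOWS))` yields `{'192.168.0.100': [110, 143, 3306]}`; pointing `service_map` at the bytes of a real capture gives the same server-side view the post builds by hand.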

Packet inspection is something we’ll read about a lot, especially with the Communications Data Bill going through at the moment, and other stuff. It’s directly related to the how of surveillance, traffic management and sometimes censorship. The technology for intercepting Internet traffic and scanning content is commercially available, but who is using it, and how is it being used? As it happens, Deep Packet Inspection (DPI) is deployed widely enough that there’s a good chance everything going over the Internet unencrypted is being read as it crosses the public Internet.

An Overview of Packet Inspection
First it’s important to recognise there’s a difference between packet inspection and Deep Packet Inspection (DPI). Invented around the mid-1990s, packet inspection was originally for use in a stateful firewall/IDS setup, which is useful where applications might change the ports they’re communicating on, or where someone might attempt…

And here is the timeline reporting the cyber attacks that happened during the first half of April 2014, a month that will probably be long remembered within the Infosec Chronicles for the discovery of the terrible Heartbleed bug (two attacks have been recorded, so far, related to this devastating vulnerability).

Besides the infamous Heartbleed, the most important events of this timeline are related to cyber crime. Germany in particular had a bad surprise, with the discovery of a list of 18 million compromised e-mail accounts and passwords, affecting all major German Internet service providers. The list of remarkable targets also includes Lacie, victim of malware that put at risk users who made online purchases from the company website, the Harley Medical Group (500,000 accounts potentially compromised) and, once again, South Korea, where unknown hackers were able to steal the personal information of about 200,000 credit card users, racking up…

You can now quickly detect the OpenSSL Heartbleed vulnerability on a network using the ever popular nmap command, and with the latest modules from Metasploit you can quickly see the exploit in action.

For this tutorial I will be using a WordPress server and Kali Linux running in two separate VMWare virtual machines.

For a vulnerable server, I used one of the Turnkey Linux WordPress VMs. There are security updates available for Turnkey’s WordPress, but during the VM setup, and for this tutorial, I purposefully told the VM NOT to install the security updates so I could test for the OpenSSL vulnerability.

Once the WordPress VM was configured (just answer a few simple questions), I then fired up my Kali Linux VM.

Nmap has created a Heartbleed script that does a great job of detecting vulnerable servers. The script may not be available in your version of Kali, so…